Email Setup


  • 5/13/2018 Email Setup


    CitiDirect Online Banking
    Automated File and Report Delivery (AFRD): E-Mail Set Up Guide
    April 2005


    Proprietary and Confidential

    These materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusive use of CitiDirect Online Banking customers. The foregoing statement shall appear on all copies of these materials made by you in whatever form and by whatever means, electronic or mechanical, including photocopying or in any information storage system. In addition, no copy of these materials shall be disclosed to third parties without express written authorization of Citibank, N.A.


    Please Note:

    The information contained in this section is intended to assist you in establishing the environment and configuration required to successfully use CitiDirect Online Banking Automated File and Report Delivery (AFRD).

    It provides details on obtaining and installing end-user certificates, configuring the Web server and generating key pairs. Screen shots are provided to aid in understanding the instructions, although the actual screens may differ. We tried to cover some of the more common vendor products. It is not intended to replace information that you should obtain directly from your e-mail vendor, certificate authority of choice, and Web server vendor.


    AFRD E-Mail Set Up Guide 3

    Table Of Contents

    Table Of Contents ... 3
    Introduction ... 4
    Overview ... 4
        Obtaining Your Personal E-mail Certificate ... 4
        Setting up your E-mail Client for S/MIME ... 4
        Obtaining the Citigroup Certificate Authority Certificate ... 6
    Setting Up Your E-mail Client for S/MIME ... 6
        Microsoft Outlook 2000 ... 6
        Microsoft Outlook Express 5.X ... 20
        Microsoft Outlook Express 4.0 ... 21
        Microsoft Outlook 98 ... 21
        Netscape 4.x (Communicator/Messenger) ... 22
        Netscape Communicator/Messenger ... 25
        Lotus Notes ... 26
    Retrieving the Citigroup CA (root) Certificate ... 27
        Retrieving the Citigroup CA (root) Certificate Using IE ... 28
        Retrieving the Citigroup CA (root) Certificate Using Netscape ... 30
    File and Report Processing via E-Mail ... 30
        Understanding E-Mail Security (S/MIME) ... 30
        End-User Certificate Requirements (e-mail) ... 31
        General Characteristics of AFRD E-Mail Delivery ... 32
        CitiDirect Processing (Sign, Encrypt and Send) ... 32
        Client Processing (Verify Signature, Decrypt and View) ... 32
        S/MIME E-Mail Support ... 33
        E-Mail Programs that do NOT Support S/MIME ... 33
        S/MIME Plug-ins for Entrust Enterprise Certificates ... 34
    AFRD Installation/Requirements Check List ... 34
        Client Functionality Requested ... 34
        Type A Requirements ... 34
        Type B Requirements: SMTP S/MIME (e-mail) ... 34
        Type C Requirements: HTTPS (Web server) ... 35
        Type D Requirements: HTTPS - SSL Encryption Only (Web server) ... 36
    Disclaimer ... 43


    Introduction

    Automated File and Report Delivery was designed to be secure but flexible, using common standards and tools wherever possible. In most cases you can choose from a number of different Web servers, mail clients, Certificate Authorities (CA), etc., that meet AFRD requirements. Because of this, it is impossible to fully document, in detail, the installation and configuration of every workable scenario. This guide defines requirements, lists solutions that have been tested by Citibank, and offers other suggestions. In addition, it provides details around the certificate process for popular e-mail programs and the set up and creation of certificates for approved Web servers. These details are only intended as a useful reference and in no way are meant to replace product-specific documentation that you should consult to best accomplish the required activities.

    Please refer to the Automated File and Report Delivery Configuration and Installation Guide as prerequisite reading before proceeding with this guide.

    Overview

    Obtaining Your Personal E-mail Certificate

    CitiDirect Online Banking supports any X.509v3 compliant Personal / E-mail certificate issued by a standard Certificate Authority (CA), such as VeriSign or Thawte. Moreover, if you have your own Certificate Server installed, such as Microsoft Certificate Server or Netscape Certificate Server, CitiDirect Online Banking will also honor these certificates.

    Although we do not require a specific certificate from a specific CA, Citibank strongly recommends that you deal with a reputable CA with auditable policies and procedures on certificate issuance and administration.

    Please refer to the Digital Certificate Summary grid in the Configuration and Installation Guide for general requirements and the general end-user experience in obtaining and installing digital certificates. Once you obtain your certificate you will need to import it into your e-mail desktop personal computer (PC) and ensure that your e-mail is properly set up.

    Please use these instructions solely as a reference of what needs to occur. Follow your product's specific documentation on how best to accomplish this activity.

    Setting up your E-mail Client for S/MIME

    What follows is a step-by-step process of what needs to be done to enable some of the more popular e-mail programs for S/MIME. Although the following instructions are considered accurate (as of the date of this document), Citibank strongly suggests that you follow your product's specific user guides to configure your e-mail program for S/MIME.


    Complete instructions and screen shots are included, as an example, for Microsoft Outlook 2000. More of an overview and guidelines are provided for the other e-mail programs.


    Obtaining the Citigroup Certificate Authority Certificate

    The last process in this section provides instructions for obtaining the Citigroup CA Certificate. This is required for AFRD e-mail delivery and must also be imported into your e-mail client.

    Setting Up Your E-mail Client for S/MIME

    Microsoft Outlook 2000

    These instructions apply specifically to Microsoft Outlook 2000 on Microsoft Windows 2000.

    One way to get a digital certificate is to use a wizard in Outlook 2000. Select Tools, then Options from the pull-down menu. This will open up the Options dialog box. Select the Security tab. Select the Get a Digital ID button.

    Selecting this button (Get a Digital ID) will launch your browser and display a Web page hosted by Microsoft with links to several Certificate Authorities. Pick a CA and follow their instructions on obtaining a personal/e-mail digital certificate.

    During the certificate retrieval process, you will be asked to install the certificate in the browser/e-mail client of your choosing, in this case Microsoft Outlook 2000. Click the Install button.

    The following steps illustrate the entire process, using VeriSign as a typical CA. The actual experience will vary according to the CA you have selected.


    Select the VeriSign Link.

    Go to Products and Services


    Select Secure Messaging under Retail Services

    For illustration purposes, we will Try a Digital ID Free for 60 Days.


    Enroll Now for a Class 1 Digital ID

    Complete the application.


    For the Cryptographic Service Provider Name, select Microsoft Strong Encryption Encoder.

    Since these digital certificates are tied to an individual e-mail address, confirm that the address is correct. This completes the application process. VeriSign will send an e-mail confirmation.


    A second e-mail, Quick Installation Instructions, provides your Digital ID PIN and the URL to get your certificate.


    Go to the URL provided, enter PIN, and click Submit. This installs the certificate in your browser.

    In your browser, go to Tools, Internet Options, Content, and Certificates. From this screen you can view the certificate by highlighting it and selecting View.


    Select Advanced and click on the Details tab for further information, or press the Export button. You have a choice to export your certificate with or without the Private Key. If you need to export your certificate so that you can import it into your mail client, choose that option.


    Note: If both your browser and mail client are Microsoft products, this should not be necessary.

    The illustration below shows you exporting only your Public Key. This will be needed later, as it must be uploaded to CitiDirect Online Banking (S/MIME) Administration Service Class for you to be able to use Automated File and Report Delivery.

    CitiDirect Online Banking only needs the Public Key.

    Save the key to an easily remembered file on your PC.


    If you do need to install the entire certificate (Public and Private Keys) on your e-mail client, these alternative screens will be shown:


    Select Strong Encryption. Your Private Key requires a Password. Type and Confirm.

    Click Finish, then OK.


    The alternative screen for Exporting with the Private Key is shown.


    If you need to import your certificate into Outlook, go to Outlook, Tools, Options, Security, Import/Export button. Click Browse to locate your certificate, enter the password you created and name it. Click OK.

    To confirm or change the setup of your certificate and e-mail, open Outlook. From the Tools menu, click Options and then select the Security tab. The following screen appears:

    Click the Setup Secure E-mail button under the Secure e-mail section. The Change Security Settings dialog displays.


    Outlook 2000 views your certificates, determines which ones are valid for e-mail encryption and digital signatures, and chooses a certificate for each. If the certificates that Outlook selects are not the ones you want to use, you can change the default selections.

    Click the Choose button in the Encryption Certificate section to select a certificate for e-mail encryption. Note: CitiDirect Online Banking requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

    If the certificates do not match, use the dropdown menu to select the appropriate certificate and click OK.

    Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.

    Click OK to close the Change Security Settings dialog box and return to the Options dialog box.

    Click Apply, and then click OK to close the Options dialog box.

    1. Validating an E-mail Message Signature

    For Outlook 2000, you can validate the signature of a message by clicking on the certificate icon in the upper right hand corner. Clicking on the red certificate icon will open up a window detailing the signature that was used to sign the message. Ensure that the signature states that it was signed by CitiDirect Online Banking.


    Microsoft Outlook Express 5.X

    Here are the steps needed to configure Outlook Express to read S/MIME Secure Mail messages.

    From the Tools menu, click Accounts, and then click the Mail tab. Select your mail account, and click the Properties button. Click the Security tab to display security-related properties for your mail account.

    In the Signing certificate area, click Select. The Select Default Account Digital ID dialog box appears.

    Click the certificate you would like to use. Outlook Express recognizes only those certificates for S/MIME use that include your e-mail address in the certificate's Subject field.

    Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

    Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

    Click Apply, and then click OK to close the Select Default Account Digital ID dialog box.

    Click OK to close the Properties dialog box for your mail account.

    Click Close to close the Internet Accounts dialog box.


    Microsoft Outlook Express 4.0

    The next screen you will see is the option to install the certificate in the browser/e-mail client you want to use, in this case Microsoft Outlook Express 5.X. Click the Install button.

    On the Tools menu, click Accounts. Click the Mail tab, click the mail account in which you want to use a digital ID, and then click Properties. On the Security tab, click the "Use a digital ID when sending secure messages from" check box to select it, and then click Digital ID.

    Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

    If the certificates do not match, use the dropdowns to select the appropriate certificate and select OK.

    Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

    Click the appropriate certificate, click OK, and then click Close.

    Note: If you do not have CitiDirect's (the sender's) certificate (Public Key) imported into your address book, Outlook Express displays the following security warning message:

    The certificate used to sign this message is either not listed in your Address Book or marked as not trusted by you. Continue to open this message?

    If you have the sender's Public Key imported into your address book and the certificate is marked as Not Trusted By Me, Outlook Express displays the following security warning message:

    You do not trust the certificate used to sign this message. Continue to open this message?

    Microsoft Outlook 98

    The next screen you will see is the option to install the certificate in the browser/e-mail client you want to use, in this case Microsoft Outlook 98. Click the 'Install' button.

    To import a downloaded Digital ID into your address book for Outlook 98:

    Open "Contacts" from Outlook '98 (click on the Contacts icon).
    Add CitiDirect (** need exact e-mail address here ****) to your contact list.
    Select the Certificates tab in the Contact window.
    Click on the "Import" button.
    Locate the Digital ID you downloaded from CitiDirect and click the Open button.


    Click on "Save and close".

    Note: CitiDirect requires that the Encryption Certificate matches the certificate that was uploaded to CitiDirect during the e-mail delivery setup.

    If the certificates do not match, make the appropriate changes using the supplied User Interface and select OK.

    Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

    Netscape 4.x (Communicator/Messenger)

    What follows are instructions for getting a Digital ID for Sending/Receiving Secure Messages (S/MIME) and installing it in Netscape 4.X.

    Please refer to the following site for more information on using S/MIME with Netscape Messenger.

    http://www.verisign.com/smime/guide/nsemail.html

    To get a digital certificate, you must first decide which CA (Certificate Authority) you would like to use. If you follow the Security, Certificates, Yours, Get a Certificate option within Netscape, you will be taken to a page where you can pick from a predefined list of Certificate Authorities. Pick a CA; follow its enrollment instructions for personal/e-mail certificates. Towards the end of the process you will be prompted by Netscape to generate a Private Key.

    For Netscape Communicator you will be asked to generate your Private Key for the certificate request. The following screen will appear.

    Click OK to continue. The next screen will require you to enter your password to access your private keystore.


    If you have recently installed Netscape on your system or have never used any of Netscape's security features, you may be asked to create and set up a Netscape Communicator password.

    Citibank highly recommends taking this action. By doing so, you effectively prevent any individual other than yourself from managing, importing or exporting digital certificates on your machine. This password also restricts other individuals from sitting down at your machine and signing e-mail messages with your digital ID.

    Note: Be sure to remember your Communicator password. This is a Netscape function, included with Communicator for your security. If you forget your password, you will not have access to manage, deploy or use your digital ID. There is nothing your CA and/or Netscape can do in the event that this happens, and ANY digital certificates you may have will be rendered useless.

    The Authentication Phase is carried out by your CA. Depending on the type of certificate you are requesting, this process might be quite simple or rather complex.

    After you complete the enrollment process explained in the above steps, depending on your CA and the type of certificate you requested, they will either e-mail you that your certificate is available or send you some form of postal mail. Irrespective of the mode of delivery, the message will contain specific information on how you can pick up your Digital ID.

    This mailing usually includes such items as a URL you can use to get your Digital ID along with some form of PIN number.

    Go to the URL included in the e-mail and complete the certificate retrieval process.

    Note: since you will be installing your Digital ID in Netscape, you must go to the pickup page using Netscape Communicator. This causes the Digital ID to be installed in your browser, in turn allowing the Netscape Messenger client to locate it.

    The Retrieval Phase consists of getting your certificate for use. For e-mail certificates, most CAs will notify you of your certificate's availability using e-mail. For other certificate types, server certificates for example, some certificate authorities use e-mail, others may use the postal service. Irrespective of the method of communication, most will provide you with a URL where you can retrieve your certificate online. Follow your CA's instructions for retrieving your certificate.

    If you retrieve your certificate using Netscape (Communicator/Messenger), a series of windows will be displayed requesting that you name and save your certificate.


    Select OK to continue.

    You may want to select the Save As button to keep a copy of your personal certificate for backup purposes.

    Click Continue. This completes the certificate retrieval process.

    To verify that your Digital ID pickup has been successfully installed in Netscape Communicator, click on the Security tab at the top of the browser window.

    Under Certificates, click Yours. Your named certificate should be displayed.

    Your e-mail client is now ready to receive S/MIME messages.


    Netscape Communicator/Messenger

    To ensure security and privacy, Netscape Messenger provides encryption (scrambling) and digital signing (authentication) of e-mail messages. Messenger's privacy features comply with the Secure Multipurpose Internet Mail Extensions (S/MIME) standard. The S/MIME standard allows Messenger to send and receive encrypted messages and authenticate received messages. Using the S/MIME standard, Messenger also provides features that detect message tampering.

    To enable Messenger with S/MIME follow these instructions:

    Click the Security tab at the top of the Communicator window. Select Messenger from the pop-up window's left pane.

    In the field requesting which certificate to use for signing and encrypting (Certificate for your Signed and Encrypted Messages:) select your newly created certificate.

    Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

    If the certificates do not match, use the dropdowns to select the appropriate certificate and select OK.

    Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.

    Click OK and close the Security Window.


    Lotus Notes

    You can import Internet certificates into your Notes User ID. You can also export Internet certificates from your Notes User ID. Importing Internet certificates allows you to use them for SSL client authentication, and for encrypted and signed S/MIME messages. For example, if you are using a Netscape browser that is compliant with Public Key Cryptographic Standard #12 (PKCS #12), and have Internet certificates and keys (in compliance with PKCS #12) accessible from your local machine, you can import them into your Notes User ID file. On the same note, if you have Internet certificates and keys (in compliance with PKCS #12) in your Notes User ID file, you can export them to a file on your local machine and then import them to use with a Netscape browser.

    To import Internet certificates into your User ID file

    Choose File - Tools - User ID.
    Enter your Notes password.
    Click "More Options" and click "Import Internet Certificates."
    Select the file that contains the certificates in the "Specify PKCS12 File Containing the Internet Certificates" dialog box and then click Open.
    If the file is password protected, enter the password when prompted.
    Click "Accept All" in the "Accept Internet Certificates" dialog box to accept the certificates and any Private Keys in the file.
    Enter your Notes password.

    Note: To check that your certificates were imported into your ID file, choose File - Tools - User ID and click Certificates. You cannot import invalid certificates, or incomplete certificate chains.


    Retrieving the Citigroup CA (root) Certificate

    This certificate is only required when the delivery method is e-mail. It allows you to automatically trust all certificates signed by Citibank.

    You can retrieve Citigroup's Certificate Authority (CA) Certificate by accessing Citibank's Web site at the following location:

    https://digitalcertificate.citigroup.com/cda-cgi/clientcgi?action=start

    Note: If you use one of the e-mail programs provided by Microsoft (Outlook, Express), you are required to access the above site using Microsoft IE. If you are using Netscape Messenger to receive your e-mail, you must access the site using the Netscape browser.

    Instructions begin on the next page.


    Retrieving the Citigroup CA (root) Certificate Using IE:

    Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate.


    The next screen will prompt you for a name for this CA. Please enter something like the following: Citigroup CA and select FINISH. The window will close and Citibank's CA will have been installed in your browser's local keystore.


    Retrieving the Citigroup CA (root) Certificate Using Netscape:

    Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate. Using a Netscape browser, a series of dialogs will appear.

    File and Report Processing via E-Mail

    Understanding E-Mail Security (S/MIME)

    An Internet mail message consists of a message header, which contains sender and recipient information, and an optional message body. The message body can contain plain text or contain multiple body parts or file attachments as defined by the MIME standard. MIME [1] defines a standard mechanism for incorporating multiple message types in a single e-mail message. However, it does not define how to secure the message body. S/MIME provides the required security extensions that let MIME entities encapsulate security objects, such as digital signatures and encrypted messages. Through these extensions, the privacy and integrity of your e-mail can be guaranteed.

    [1] MIME is defined in Request for Comments (RFC) 2045 through 2049. It defines how a message body can contain data types other than flat ASCII.


    While the actual risk or likelihood of interception is relatively low, without S/MIME, someone along a message's journey could conceivably intercept one or more of these chunks of plain text and read at least part, if not all, of your message. To use a traditional postal analogy, this is similar to sending a postcard, where anyone who encounters that card along its way can read, and perhaps even modify, the message you write on the back of the card. Moreover, someone could write a postcard and forge your name and address on it, making their message appear to have come from you. Given the sensitive nature of the information being transferred to CitiDirect, protecting the message during transit is of utmost importance.

    To ensure the privacy and integrity of the data transmitted from CitiDirect to you, CitiDirect has chosen to utilize the S/MIME [2] (Secure Multipurpose Internet Mail Extension) standard. S/MIME was designed to add security to e-mail messages in MIME format. The S/MIME standard was chosen since it has established itself as the de-facto standard for e-mail security within the industry. Moreover, S/MIME relies on state of the art Public Key cryptography and is supported in most of the popular e-mail programs on the market today. Popular e-mail programs (including Microsoft Outlook Express and Outlook 2000, as well as Netscape Communicator/Messenger) not only support S/MIME but actually interoperate with each other.

    This decision enables us to apply a full set of security functions to e-mail. These functions include:

    - Confidentiality - provided by the use of 128-bit DES strong encryption;
    - Integrity - provided by the use of SHA-1 Digital Signatures;
    - Authentication - provided by the use of X.509 Digital Certificates;
    - Proof of a transaction or 'Non-Repudiation' as defined by the Public Key Infrastructure (PKI).

    End-User Certificate Requirements (e-mail)

    Given that S/MIME relies on PKI, you will need to acquire a Personal E-mail Certificate (X.509) from an independent Certifying Authority (CA). Two of the most popular certificate authorities are:

    http://www.verisign.com/
    http://www.thawte.com/

    CitiDirect recommends using S/MIME with the following symmetric encryption algorithms:

    - Triple DES (more correctly DES EDE3 in CBC) using a 168-bit key.
    - RC2 encryption in CBC mode using a 128-bit key.

    You will also need to obtain another certificate for each end-user, which will allow you to automatically trust all certificates signed by Citibank.

    This certificate, Citigroup's (Citibank) CA certificate, is obtained by accessing Citibank's Web site at the following location:

    https://digitalcertificate.citigroup.com/cda-cgi/clientcgi?action=start

    Note: If you are using Netscape Messenger to receive your e-mail you must access the site above using the Netscape browser. If you would like to use Microsoft's e-mail programs (Outlook, Express), you are required to access the above site using Microsoft IE.

    [2] S/MIME 3.0 became an Internet Engineering Task Force (IETF) approved standard in June 1999. Please refer to Requests for Comments (RFCs) 2632 through 2634 for further details on this standard.

Additional details on obtaining and installing this certificate can be found in the Setup Details section of this Installation and Configuration Guide, but the Web site will also guide you through the process.

General Characteristics of AFRD E-Mail Delivery

    Only one e-mail address may be specified for each automated e-mail delivery schedule.

Our mail server imposes a file size limitation of 25 MB.

Due to its nature, e-mail delivery is NOT GUARANTEED. CitiDirect will know only whether it has successfully submitted the e-mail to the mail system processor (SMTP server) for delivery. CitiDirect will not know whether the e-mail subsequently reached its intended recipient.

You may apply different processing controls to your e-mail activities. For example, you may configure your e-mail servers to reject e-mails with attachments that are greater than a certain size, or you may defer delivery of e-mails with such attachments. You also may require administrative procedures to accept receipt of e-mails from a restricted list of domains outside of the company, etc.

    CitiDirect Processing (Sign, Encrypt and Send)

To guarantee message privacy, CitiDirect Online Banking will encrypt all mail using the Triple DES algorithm (symmetric cipher) and a randomly generated secret key (generated per message). CitiDirect will then apply a one-way hash (SHA-1) to the encrypted data to obtain a checksum of the data. CitiDirect will then apply a Digital Signature to the message by encrypting the checksum (using an asymmetric cipher) with its own Private Key. The session key is then encrypted using the recipient's Public Key so that it can be retrieved by you as the recipient. All of these objects/structures are then assembled into an e-mail message and sent using SMTP (e-mail protocol) to the recipient's e-mail address.

    Client Processing (Verify Signature, Decrypt and View)

For you to decrypt and verify the integrity of the message, you must have obtained the root CA certificate of Citibank. Please refer to the section entitled Setup Details for more information on how to obtain it.

Assuming you have an S/MIME-aware e-mail program, when the e-mail arrives in your inbox, the following steps are performed:

1. You receive a warning message stating that the message is encrypted. Depending on the e-mail program, you may have to select some option to continue processing the message.

2. The session key information (protecting the message) is decrypted using your Private (secret) Key.

3. The message signature is validated using the Public Key of Citibank (and/or CitiDirect Online Banking's Public Key, which was previously obtained).

4. The message is decrypted for viewing/processing.

If your e-mail program only displays two file attachments with the extensions *.p7m and/or *.p7s, then your e-mail program either does not support S/MIME or has not been properly configured. Please check your e-mail product's installation and configuration documentation for enabling S/MIME functionality.
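The sign-encrypt-send sequence in "CitiDirect Processing" and the verify-decrypt steps in "Client Processing" above, as an added example in Go (not CitiDirect's or Citibank's code) using only the standard library. The Envelope struct is a constructed stand-in for the real S/MIME (PKCS#7) structures, and the RSA keys are generated in place rather than taken from X.509 certificates.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// Envelope is a constructed stand-in for the S/MIME (PKCS#7) objects the guide says are assembled.
type Envelope struct{ IV, Ciphertext, WrappedKey, Signature []byte }

// NewKeyPair makes a throwaway RSA key; real keys belong to CA-issued X.509 certificates.
func NewKeyPair() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// SignEncrypt is the sender side: random Triple DES key, encrypt, hash, sign, wrap the key.
func SignEncrypt(msg []byte, sender *rsa.PrivateKey, recip *rsa.PublicKey) (*Envelope, error) {
	kiv := make([]byte, 24+des.BlockSize) // three 8-byte DES keys (168-bit) followed by the CBC IV
	rand.Read(kiv)
	key, iv := kiv[:24], kiv[24:]
	block, _ := des.NewTripleDESCipher(key) // 24-byte key, so this cannot fail
	n := des.BlockSize - len(msg)%des.BlockSize // PKCS#7 padding to the 8-byte block size
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	h := sha1.Sum(ct) // checksum of the *encrypted* data, as the guide describes
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA1, h[:])
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, recip, key) // session key to the recipient's public key
	if err != nil { return nil, err }
	return &Envelope{IV: iv, Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// VerifyDecrypt is the recipient side: check the signature first, then unwrap the key and decrypt.
func VerifyDecrypt(e *Envelope, recip *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	h := sha1.Sum(e.Ciphertext)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA1, h[:], e.Signature); err != nil { return nil, err }
	key, err := rsa.DecryptPKCS1v15(rand.Reader, recip, e.WrappedKey)
	if err != nil { return nil, err }
	block, err := des.NewTripleDESCipher(key) // rejects a wrapped key of the wrong length
	if err != nil { return nil, err }
	pt := make([]byte, len(e.Ciphertext))
	cipher.NewCBCDecrypter(block, e.IV).CryptBlocks(pt, e.Ciphertext)
	n := int(pt[len(pt)-1]) // strip PKCS#7 padding; the ciphertext was already authenticated
	if n < 1 || n > des.BlockSize { return nil, fmt.Errorf("bad padding") }
	return pt[:len(pt)-n], nil
}
```

Note that the signature covers only the ciphertext, exactly as the guide describes, so the wrapped session key itself is not signed; that is why VerifyDecrypt still checks the unwrapped key before using it.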

    S/MIME E-Mail Support

The following table highlights those e-mail programs that support S/MIME and should function properly with CitiDirect Online Banking's Automated File and Report Delivery Service.

E-mail Program                                  CitiDirect Tested   Comments
Microsoft Outlook 98                            NO                  Requires security patch
Microsoft Outlook Express 5.X                   YES                 Windows version only (not on the Mac)
Microsoft Outlook 2000                          YES                 Supports S/MIME
Microsoft Outlook Mac version 8.21 or greater   NO                  Supports S/MIME
Microsoft Outlook Express 4.X                   NO                  Supports S/MIME
Netscape Communicator 4.x                       YES                 WinTel version only, but NOT version 6.X
Novell GroupWise 6.0                            NO                  Supports S/MIME
Eudora Pro                                      YES                 Requires plug-in (Entrust); Mac not supported

For instructions on importing a certificate into the various e-mail programs, please refer to your e-mail user's guide. Instructions for some popular e-mail programs can be located in a later section of this document.

    E-Mail Programs that do NOT Support S/MIME

The following table illustrates some popular e-mail programs that either do not function properly for AFRD or do not support the S/MIME standard.

Program                             Comments
Microsoft Outlook Express           All Mac versions are NOT supported
MS Exchange Client (all versions)   NOT supported
Netscape Communicator               Versions prior to 4.X are NOT supported; on WinTel, version 6.0 is NOT supported; all other platforms are NOT supported

    One vendor that supports various e-mail systems is Baltimore Technologies, found at:

    http://www.baltimore.com/securityapplications/mailsecure/index.html

Baltimore Technologies MailSecure S/MIME enables the following e-mail programs:

Microsoft Exchange

Microsoft Outlook

Lotus Notes

Qualcomm Eudora

Please note that this information is being presented here solely as a point of reference. Other commercial e-mail plug-in providers exist. You can choose which e-mail plug-in you require (if any) based on your corporate security policies and procedures.


    S/MIME Plug-ins for Entrust Enterprise Certificates

The Entrust Entelligence E-mail Plug-in (currently called Entrust Express), along with Entrust Entelligence 6.0, can be used with a variety of e-mail applications such as Microsoft Exchange, Microsoft Outlook, and Lotus Notes.

It can be obtained through Citigroup or from the Entrust Web site located at: http://www.entrust.com/entelligence/email/index.htm

Please note: if you are required (and/or prefer) to utilize Entrust Enterprise certificates to secure your e-mail communication, the Entrust Express e-mail plug-in must also be used with your e-mail program regardless of whether or not the program supports S/MIME natively.

    AFRD Installation/Requirements Check List

Client Functionality Requested                    Type
Scheduled Reports to Browser                      Type A
Scheduled Reports via E-mail                      Type B
Scheduled Export File(s) via E-mail               Type B
Scheduled Reports via HTTPS                       Type C
Scheduled Export File(s) via HTTPS                Type C
Scheduled Import File(s) via HTTPS                Type C
Reports via HTTPS (SSL Encryption Only)           Type D
Export File(s) via HTTPS (SSL Encryption Only)    Type D

    Type A Requirements

No special requirements; covered by in-session SSL.

Type B Requirements: SMTP S/MIME (e-mail)

    Digital Certificate (Web cert for end-user)

    X.509 compliant

Triple DES (DES EDE3 in CBC mode) using a 168-bit key

RC2 encryption in CBC mode using a 128-bit key

    S/MIME Aware E-mail Client such as:

    Microsoft Outlook Express 5.X (Windows version only)

    Microsoft Outlook 2000

    Netscape Communicator 4.X (WinTel version only but not version 6.X)


    Mail Server that supports native S/MIME such as:

    Exchange

    HP OpenMail configured for IMAP or POP3 (not MAPI)

Type C Requirements: HTTPS (Web server)

    Install a Web Server (if one is not already available)

    Microsoft IIS Version 4.X and above

    Netscape/iPlanet Web Server Version 4.X and above

Apache HTTP Server (plus OpenSSL or mod_ssl) Version 1.3 and above

Enable Secure Sockets Layer (SSL) (if not already enabled)

Minimum encryption strength is 128-bit (1024-bit session keys)

    Activate SSL security (on folder or root level)

    Other SSL configuration requirements

    Create a user account for the exclusive use by CitiDirect

    GET functionality must be enabled for file Import

    PUT functionality must be enabled for file Export

Dedicated Internet connection, minimum T1 (1.54 Mbps)

    HTTPS connection on Port 443 for GET & PUT

Acquire a Digital Certificate from a Certificate Authority (CA). The certificate must be an SSL Server Certificate on the Citibank approved list (see appendix)

    Must support 128-bit encryption, 1024-bit session keys

    Create a CitiDirect user (User ID and Password) on your Web server

Citibank recommends that the password be at least 6 characters in length and changed frequently

NOTE: when you change this password, please ensure that it is changed in CitiDirect (Delivery Options Library) as well, in order to avoid scheduled job failures

NOTE: you will provide this information to Citibank during the definition phase of the Delivery Method (File Delivery scheduling process)

    Establish Access Rights for this CitiDirect User

For Export, write (PUT) authorization is required

For Import, read (GET) authorization is required

    Ensure that access is given to the appropriate directory location(s)

Ensure that the assigned directories are restricted from any/all other users

If there will be multiple Import Files, then ensure that the HTTP LIST command is also enabled for the specified directory and user

Minimum Configuration Parameters for SSL v3 Cipher Suite

RC4 or RC5 symmetric algorithm with 128-bit cipher strength

RSA Public Key Algorithm with 1024-bit key strength

SHA-1 Message Authentication Hash / Digest Algorithm

NOTE: CitiDirect-supported SSLv3 ciphers include:

    RC4 with MD5

    RC2 with MD5

    Triple DES with MD5

    End-User Software and Certificate Requirements

PKCS#7 standard

    Entrust Entelligence 6.0 software (can be obtained from Citibank)

Ports to be opened if going through Citigroup:

389 to check certificates against our directory services;

709 to send certificates to our CA;

829 to renew the certificate.

Use Entelligence to retrieve the enterprise certificate from Citigroup

Type D Requirements: HTTPS - SSL Encryption Only (Web server)

Exactly the same requirements documented for Type C, except that there are no end-user software or certificate requirements. A customer can select to have data files and reports delivered through an encrypted SSL session without extra encryption on the file and/or report itself.

This security method is named "None with SSL" and can be configured within the Delivery Option table found online in CitiDirect. Currently, this applies to files and reports delivered from CitiDirect AFRD to the customer. Payment files originating from the client for import into CitiDirect require file encryption.

When the New Certificate Authority window displays, click NEXT to continue.


    Another window will appear explaining the role of a Certificate Authority. Click Next to continue.

Another window displays where you can view (More Info) Citibank's Public Key information. Select More Info for certificate details. When complete, select NEXT to continue.

After selecting NEXT, the above window appears, where you MUST select at least the option for using the Citibank CA to certify e-mail users, since Citibank will be sending you files signed using our Public Key.


    Depending on your comfort level, please choose the appropriate option above and select NEXT.

The next screen will prompt you for a name for this CA. Please enter something like "Citigroup CA" and select FINISH. The window will close and Citibank's CA will have been installed in your browser's local keystore.


    Disclaimer

    The authoritative and official text of this CitiDirect Online Banking documentation shallbe in the English language as used in the United States of America. Any translation ofany CitiDirect documentation from English to another language is done solely for theconvenience of the reader, and any inconsistencies, or inaccuracies between theEnglish text and that translation shall be resolved in favor of the English text.


    Customer shall be solely responsible for the use of any User identifications, passwordsand authentication codes that may be provided to it, from time to time, in connection withCitiDirect Online Banking (collectively, "User IDs"). Customer agrees to keep all UserIDs strictly confidential at all times. Customer shall immediately cease use of CitiDirectOnline Banking if it receives notification from Citibank, or otherwise becomes aware of,or suspects, a technical failure or security breach. Customer shall immediately notifyCitibank if it becomes aware of, or suspects, a technical failure or security breach.

April 2005

© 2005 Citibank, N.A. All rights reserved. CITIBANK, CITIDIRECT, WORLDLINK, CITIGROUP, and the Umbrella Device are trademarks and service marks of Citicorp or its affiliates and are used and registered throughout the world.

Adobe, Acrobat, and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Actuate is a registered trademark of Actuate Corporation. Microsoft, Outlook and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. VeriSign and Thawte are registered trademarks of VeriSign in the United States and/or other countries. All other brands, products, and service names mentioned are trademarks or registered trademarks of their respective owners.